EternalBlue Comes Home to Roost, In Baltimore: Will We Learn From Our Mistakes?

If there’s one thing we don’t need at this juncture, it’s our own government’s cyber weapons being used against us. Yet, it seems that may be what happened in early May when city workers in Baltimore, MD, were greeted by locked screens and messages demanding a ransom to free up hijacked files.

According to a New York Times report, the attackers froze computers and shut down email, and perhaps most significantly, hijacked systems used to complete real estate deals, effectively shutting down one of the city’s most important sources of economic activity just as the spring real estate season was heating up.

For those who really want to be riled about this particular incident, I present as evidence the WannaCry ransomware attack, a coordinated global attack from two years ago that made use of an exploit called EternalBlue. EternalBlue was developed by the National Security Agency specifically to take advantage of a vulnerability in the SMBv1 file-sharing service of Microsoft Windows, the flaw Microsoft later patched as MS17-010. That attack, which was ultimately blamed on North Korea, was made possible when a group known as the Shadow Brokers stole EternalBlue and dumped it online.

Since then, EternalBlue has shown up time and again, all over the world, and has been tied to hundreds of thousands of attacks in a single day. More recently, local U.S. governments in cities such as Allentown, Pa. and San Antonio have found themselves on the wrong end of EternalBlue-powered attacks.

In other words, Baltimore has lots of company, and at least one observer believes it’s high time for the N.S.A. to be accountable for the chaos its stolen work has wrought.

Thomas Rid, a security expert at Johns Hopkins University, told The Times that the theft of EternalBlue was “the most destructive and costly N.S.A. breach in history,” and that despite numerous calls for explanation, “the government has refused to take responsibility, or even to answer the most basic questions.”

That hadn’t changed a week later, when Rep. C.A. Dutch Ruppersberger (D-MD) told The Times that senior N.S.A. leaders had insisted to him that there was no evidence EternalBlue had played a role in the attack.

Former N.S.A. employees told The Times that the agency had used EternalBlue for five years without ever considering informing Microsoft of the vulnerability, and that it did so only once the Shadow Brokers' theft forced its hand. Given that, the N.S.A. remains culpable for its actions, regardless of the role EternalBlue has played in the Baltimore attack.

“The country still needs answers on how these tools fell into the wrong hands in the first place,” the Washington Post wrote in an editorial. “It also needs mechanisms in place to keep them in the right ones going forward.”

As tempting as it is to heap blame on the N.S.A., a piece in Fortune made the cogent point that Baltimore officials had no one to blame but themselves, and that there's no excuse for an organization to have failed to update its systems against a known vulnerability for which Microsoft issued a patch (MS17-010) in March 2017, two years before the attack.
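For readers who want to know whether their own Windows hosts are still exposed to the bug EternalBlue targets, the following PowerShell triage is an added example, not code from the original post or from any of the reports it cites. It assumes an elevated PowerShell session on the host itself, uses only built-in cmdlets, and treats the MS17-010 KB list from Microsoft's bulletin as a hint rather than proof, because later cumulative updates supersede those KBs and may not show up under the same numbers.

```powershell
# Added example: triage a single Windows host for exposure to MS17-010 (the EternalBlue bug).
# Not from the original post. Run in an elevated PowerShell session on the host being checked.

# 1. Is the SMBv1 server side enabled at all? EternalBlue only works against SMBv1,
#    so a host with SMBv1 off is not reachable by it regardless of patch level.
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
"SMBv1 server enabled: $smb1Enabled"

# 2. Is the SMBv1 component installed? On Windows 8.1/10 clients it is an optional feature;
#    on Windows Server use Get-WindowsFeature FS-SMB1 instead.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { "SMB1Protocol feature state: $($feature.State)" }

# 3. Was one of the original MS17-010 hotfixes installed? KB numbers are from the bulletin.
#    Caveat: hosts that received later cumulative updates carry the fix under a different KB,
#    so a miss here means "look closer", not "unpatched". A hit is a strong positive signal.
$ms17010Kbs = 'KB4012212','KB4012215',             # Windows 7 / Server 2008 R2
              'KB4012214','KB4012217',             # Server 2012
              'KB4012213','KB4012216',             # Windows 8.1 / Server 2012 R2
              'KB4012598',                         # XP / Vista / Server 2003 / Server 2008
              'KB4012606','KB4013198','KB4013429'  # Windows 10 1507 / 1511 / 1607
$found = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($found) {
    "MS17-010 hotfix present: $($found.HotFixID -join ', ')"
} else {
    "No original MS17-010 KB found; verify cumulative update level before concluding anything"
}

# 4. Remediation, which is what the Fortune piece is really asking for: apply current updates
#    and turn SMBv1 off so the vulnerable code path is gone. Uncomment to apply on this host.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

The order matters in practice: step 1 is the decisive check, because a host with SMBv1 disabled cannot be hit by EternalBlue even if step 3 finds nothing. Step 3 is included because auditors often ask for it, and the comment records why its negative result is not conclusive on its own.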

Some observers believe that chasing vulnerabilities with patches is fool's gold, and that in the present environment, in which the tools and the attacks they're used for keep growing increasingly sophisticated, government entities should consider storing records on a blockchain, on the theory that this makes the information essentially hack-proof. That theory deserves skepticism: a blockchain can make a record tamper-evident, but it does nothing to stop ransomware from encrypting the workstations and servers that staff use to reach those records, which is precisely how Baltimore's systems were taken offline.

Meanwhile, Ruppersberger came to local municipalities' defense, arguing that patching is a costly and time-consuming process that is often beyond their capabilities, and that local governments need federal assistance to adequately protect their networks.

In other words, this attack could be a critical one that tips this important debate into the public consciousness. Clearly, the secretive use of EternalBlue and its subsequent theft point to the need for more thoughtful oversight of our intelligence gathering activities, especially when we’re developing powerful hacking tools to support them. It’s also obvious that cash-strapping our local governments and then expecting our federal government — the same one that created and lost track of the very tool that’s being used to power these attacks — to step in and protect those local governments, is flawed thinking at best, and downright lunacy at worst.

So, here’s to this episode generating some meaningful dialogue that leads to real change. Of course, the more likely scenario is that time will pass, this attack will disappear in the rear view mirror, and we’ll be back here pondering this same topic when the next local government falls victim.

But one can hope, can’t one?

*** This is a Security Bloggers Network syndicated blog from RSAConference Blogs RSS Feed authored by Tony Kontzer. Read the original post at: